Website visitors are still being redirected after "fixing" the damage from a conditional redirect website attack

Posted by Shannon on Server Fault See other posts from Server Fault or by Shannon
Published on 2012-07-10T04:20:31Z Indexed on 2012/07/10 9:17 UTC
Read the original article Hit count: 248

Filed under:

hacked

BACKGROUND

A website of mine was recently the target of a conditional redirect attack.

PHP code was added to my pages to redirect visitors.
The .htaccess file was edited to redirect visitors.

I've re-uploaded my website so the compromised PHP and .htaccess code have both been removed.

My site is mostly handwritten php and static HTML content. I don't use page comments or any third party libraries.

THE PROBLEM

After removing the compromised php and htaccess files, visitors are still being re-directed.

What could be the reason that visitors are still being redirected?
Are there any tools to check where/how redirects are taking place so I can debug the problem?

UPDATE - PROBLEM FIXED

As suggested in the comments, I cleared my Firefox cache and that fixed the problem (for me anyway). Visitors with old cache data will obviously still be re-directed.

Related posts about hacked

Finding how a hacked server was hacked

as seen on Server Fault - Search for 'Server Fault'
I was just browsing through the site and found this question: My server's been hacked EMERGENCY. Basically the question says: My server has been hacked. What should I do? The best answer is excellent but it raised some questions in my mind. One of the steps suggested is to: Examine the… >>> More
IIS site hacked with ww.robint.us malware

as seen on Server Fault - Search for 'Server Fault'
A bunch of IIS sites got hacked with a javascript malware pointing to ww.robint.us/u.js. Google cache says more than 1,000,000 different pages got affected: http://www.google.com/#hl=en&source=hp&q=http%3A%2F%2Fww.robint.us%2Fu.js http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us… >>> More
Router/Security question: Am I hacked?

as seen on Super User - Search for 'Super User'
Hi, all. I've noticed that my home broadband speed seems to be a bit slow in recent days. I noticed, last night, that my Wireless Router had given a DHCP lease to a public IP address with an odd formation; something like 111.10.11.110. Should I consider these warning sings of my ZyXEL router being… >>> More
Windows Server 2003 Hacked - Files Being Uploaded

as seen on Server Fault - Search for 'Server Fault'
Blank directories are being created on my Windows Server 2003 virtual server with sub directories that are weird (for example: "88ÿ ÿ ÿÿþþ þþ13þ"). It looks like they are uploading bootlegged DVDs and pirated software. All of my bandwidth and file space is being eaten up. Could this be a shared… >>> More
Linux Server hacked?

as seen on Server Fault - Search for 'Server Fault'
I'm trying to determine if this linex webserver/openfire server has been compromised by some form of malware or a hacker. Can you please help me determine if this server has been hacked? The snippet of logs below are from the linux server running apache. A few days ago the moodle site, which is installed… >>> More

Developer IT